Simply install box-js from npm:
npm install box-js --global
Looking to use box-js with Cuckoo? Use cuckoo-package.py as an analysis package.
Let’s say you have a sample called sample.js: to analyze it, simply run
Chances are you will also want to download any payloads; use the --download flag to enable downloading. Otherwise, the engine simulates a 404 error for every request, so that the script is tricked into thinking the distribution site is down and moves on to contacting any fallback sites.
Box.js will emulate a Windows JScript environment, print a summary of the emulation to the console, and create a folder called sample.js.results (if it already exists, it will create sample.js.1.results and so on). This folder will contain:
- analysis.log, a log of the analysis as it was printed on the screen;
- a series of files identified by UUIDs;
- urls.json, a list of URLs contacted;
- active_urls.json, a list of URLs that seem to drop active malware;
- resources.json, the ADODB streams (i.e. the files that the script wrote to disk) with file types and hashes;
- IOC.json, a list of behaviors identified as IOCs (Indicators of Compromise). These include registry accesses, written files, HTTP requests and so on.
You can analyze these by yourself, or you can automatically submit them to Malwr, VirusTotal or a Cuckoo sandbox: for more information, run box-export --help.
For further isolation, it is recommended to run the analysis in a temporary Docker container. Consult integrations/README.md for more information.
If you wish to automate the analysis, you can use the return codes (documented in integrations/README.md) to distinguish between different types of errors.
While box.js is typically used on single files, it can also run batch analyses. You can simply pass a list of files or folders to analyze:
By default box.js will process samples in parallel, running one analysis per core. You can use a different setting by specifying a value for --threads: in particular, 0 removes the limit, making box-js spawn as many analysis threads as possible, which results in very fast analysis but may overload the system (note that analyses are usually CPU-bound, not RAM-bound).
You can use --loglevel=warn to silence analysis-related messages and only display progress info.
After the analysis is finished, you can extract the active URLs like this:
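The following script is an added example, not part of box-js or its documentation. It shows one way to post-process a batch run: it walks a directory for the sample.js.results / sample.js.1.results folders described above, merges urls.json, active_urls.json and resources.json across samples, and renders a de-duplicated, defanged IOC summary. It assumes that urls.json and active_urls.json are JSON arrays of URL strings and that resources.json maps a UUID to an object with "type" and "sha256" keys; if your box-js version writes a different layout, adjust the loaders. The results folders it builds for the demo contain constructed data, not real analysis output.

```python
# Added example (not box-js's own code): aggregate a batch of box-js result
# folders into one de-duplicated IOC summary.
# Assumed layout: urls.json / active_urls.json are JSON arrays of URL strings;
# resources.json maps UUID -> {"type": ..., "sha256": ...}.
import json
import re
import tempfile
from pathlib import Path

# Matches sample.js.results, sample.js.1.results, sample.js.2.results, ...
RESULTS_DIR_RE = re.compile(r"\.(?:\d+\.)?results$")


def find_results_dirs(root):
    """Return every box-js results folder directly under root, sorted by name."""
    return sorted(p for p in Path(root).iterdir()
                  if p.is_dir() and RESULTS_DIR_RE.search(p.name))


def load_json(path, default):
    """Load a JSON file, returning default when it is missing or malformed."""
    try:
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    except (OSError, ValueError):
        return default


def defang(url):
    """Make a URL safe to paste into a report: http -> hxxp, dots in the host -> [.]."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def aggregate(root):
    """Merge all results folders under root into one summary dict."""
    summary = {"samples": [], "urls": set(), "active_urls": set(), "dropped": {}}
    for rd in find_results_dirs(root):
        urls = load_json(rd / "urls.json", [])
        active = load_json(rd / "active_urls.json", [])
        resources = load_json(rd / "resources.json", {})
        summary["samples"].append(rd.name)
        summary["urls"].update(u for u in urls if isinstance(u, str))
        summary["active_urls"].update(u for u in active if isinstance(u, str))
        for meta in resources.values():
            if isinstance(meta, dict) and meta.get("sha256"):
                # The same dropped file may appear under several UUIDs and
                # samples, so key on its hash rather than on the UUID.
                entry = summary["dropped"].setdefault(
                    meta["sha256"], {"type": meta.get("type", "?"), "samples": set()})
                entry["samples"].add(rd.name)
    return summary


def render(summary):
    """Return the summary as report text, with every URL defanged."""
    lines = [f"samples analysed: {len(summary['samples'])}", "active (payload-dropping) URLs:"]
    lines += [f"  {defang(u)}" for u in sorted(summary["active_urls"])]
    lines.append("other contacted URLs:")
    lines += [f"  {defang(u)}" for u in sorted(summary["urls"] - summary["active_urls"])]
    lines.append("dropped files (sha256, type, seen in):")
    for sha, meta in sorted(summary["dropped"].items()):
        lines.append(f"  {sha} {meta['type']} {', '.join(sorted(meta['samples']))}")
    return "\n".join(lines)


def build_sample_tree(root):
    """Write two constructed results folders (fake data, not real output) under root."""
    cases = {
        "dropper1.js.results": {
            "urls.json": ["http://cdn.example.test/a.php", "http://fallback.example.test/b.php"],
            "active_urls.json": ["http://cdn.example.test/a.php"],
            "resources.json": {"11111111-aaaa": {"type": "PE32 executable", "sha256": "ab" * 32}},
        },
        "dropper1.js.1.results": {  # a second run of the same sample
            "urls.json": ["http://cdn.example.test/a.php"],
            "active_urls.json": ["http://cdn.example.test/a.php"],
            "resources.json": {"22222222-bbbb": {"type": "PE32 executable", "sha256": "ab" * 32}},
        },
    }
    for name, files in cases.items():
        d = Path(root) / name
        d.mkdir()
        for fname, content in files.items():
            (d / fname).write_text(json.dumps(content), encoding="utf-8")
    (Path(root) / "notes.txt").write_text("stray file, must be ignored", encoding="utf-8")


def demo():
    """Build the constructed tree in a temp dir and return its aggregated summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return aggregate(tmp)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(render(aggregate(tmp)))
```

Point aggregate() at the directory where you ran the batch analysis to get the real summary; keying dropped files on their hash means a payload re-downloaded by several samples shows up once, with every sample that produced it listed beside it.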
Copyright (c) 2016 CapacitorSet